Petya, Medoc and the delivery of malicious software

When our Cyber Threat Intelligence team runs passive threat assessments on behalf of organisations, we clearly define the issues we find and map them to the cyber kill chain, so that the organisation sees its exposure as an attacker would.

One example is reporting the vulnerable servers an organisation exposes to the Internet. An attacker can use such servers to carry out reconnaissance for an attack, to breach the organisation’s security, or to deliver a malicious payload such as ransomware.

Looking into the evidence behind Petya

Whilst the exact reason behind the recent Petya/NotPetya ransomware/wiper outbreak is still being analysed and attributed, some hard evidence has come to light about its distribution mechanism.

Ukraine suffered the majority of the impact, due in part to delivery of the ransomware via a compromised server at the FQDN ‘upd[.]me-doc[.]com[.]ua’. This was reported in a tweet from the Ukraine Cyber Police account.

The tweet roughly translates to ‘this software routinely communicates with the destination server using the user agent of medoc1001189’.

Further tweets from the same account state that this server delivered an update (333kb in size) which extracted and executed further payloads. This payload is believed to be the variant known as Petya/NotPetya.

The impact of an insecure server

The server in question resides at IP address 92[.]60[.]184[.]55, which a reverse lookup resolves to reduk-55[.]colo0.kv[.]wnet[.]ua. The analysis shows a number of ports and services, some of which are considered insecure, open and exposed to the Internet.

The ports in question were as follows:

Customers using the Me-Doc application would receive software updates from this server as expected. @cyberpoliceUA has confirmed that this server was used to deliver malicious software updates.

Exposed ports give attackers the opportunity to launch exploits against services that are not appropriately patched. In this case port 21 offers an FTP service for file transfer, a protocol businesses often use to move large files.

The application providing the FTP service is ProFTPD 1.3.4.c which, according to the maintainers, is over two years old and has trivial remote code execution exploits publicly available, giving any attacker root privileges.

Internet scanning is a daily occurrence, with automated scripts scanning for, exploiting and compromising servers. A further vulnerable service was SSH, running the outdated OpenSSH v5.4, which also has a number of publicly available exploits.
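As an added example (not code from the original post or from Fujitsu), the kind of check a defender would run over an exposed host’s service banners: recognise the product, parse its version string correctly (ProFTPD writes the version named above as `1.3.4c`, and OpenSSH appends suffixes such as `p1`), and flag anything below an organisation’s own minimum-version baseline. The baseline values, the sample banners and the host address are constructed assumptions, not vendor advisories.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the oldest version of each service that this
# hypothetical organisation still accepts on an Internet-facing host.
MINIMUM_VERSION = {"ProFTPD": "1.3.5", "OpenSSH": "7.4"}

# Banner formats as emitted by the two services discussed in the post.
BANNER_PATTERNS = [
    ("ProFTPD", re.compile(r"ProFTPD\s+([0-9][0-9A-Za-z.]*)")),
    ("OpenSSH", re.compile(r"OpenSSH_([0-9][0-9A-Za-z.]*)")),
]

def parse_version(text: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.3.4c' into ((1,''),(3,''),(4,'c')) so that tuple comparison
    orders 1.3.4 < 1.3.4c < 1.3.5 and 7.4 <= 7.4p1."""
    parts = []
    for piece in text.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z0-9]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) for a recognised banner, else None."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None

def assess_host(banners: Dict[int, str]) -> List[Tuple[int, str, str, str]]:
    """Return (port, product, version, verdict) for every grabbed banner."""
    findings = []
    for port, banner in sorted(banners.items()):
        hit = identify(banner)
        if hit is None:
            findings.append((port, "unknown", "", "review"))  # needs a human look
            continue
        product, version = hit
        outdated = parse_version(version) < parse_version(MINIMUM_VERSION[product])
        findings.append((port, product, version, "outdated" if outdated else "ok"))
    return findings

# Constructed sample banners; versions on ports 21 and 22 are those named in
# the post, the address and the port 2222 service are hypothetical.
SAMPLE_BANNERS = {
    21: "220 ProFTPD 1.3.4c Server (ProFTPD) [::ffff:192.0.2.10]",
    22: "SSH-2.0-OpenSSH_5.4",
    2222: "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
}

if __name__ == "__main__":
    for port, product, version, verdict in assess_host(SAMPLE_BANNERS):
        print(f"{port:>5}  {product:<8} {version:<10} {verdict}")
```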

The importance of proactive vulnerability detection

Proactive vulnerability scanning and a mature security posture are critical to any business and, in this case, to a country. The potential compromise of this server, taking advantage of insecure protocols and long-standing vulnerabilities, provided a ready-made Command and Control server to deliver ransomware via a software package used by a large number of organisations.

This again highlights the governance required for strict due diligence of supply chain companies and third-party applications, which can offer a critical path into a business, as this incident demonstrates.

Whilst the initial attack vector certainly appears to be Ukraine-centric, it is highly feasible that new and more sophisticated variants will appear in the coming weeks.

At Fujitsu, our combined vulnerability management and cyber threat intelligence services provide the capabilities to monitor and counter these threats for our customers. We have deep technical expertise with access to many open and closed intelligence sources.

When that is coupled with an understanding of the vulnerabilities on customer estates, we have the ability to provide the context necessary so our customers can quickly cut through the noise and concentrate their efforts where it is most applicable.